The next President of the United States will begin their term in the midst of dramatic transitions happening across the world. This isn’t about the deficit or foreign policy or climate change. Advisors well versed in strategies related to those issues surround the President.
What needs to be addressed is the global transition to a digital economy. This change is affecting every aspect of our society, from how businesses generate profit to how individuals live their lives and interact socially. The digital economy and society combine technologies and services to unlock new value in the form of better quality of life and better business outcomes. It is affecting every economic sector, from manufacturing to healthcare to finance to energy. It is changing what people do for a living, how they spend their leisure time, and where and how they spend their money, get educated, and even raise their children. The reality is that we haven’t seen such a complete and dramatic change since at least the advent of the industrial revolution, and frankly, the speed of change is unprecedented in human history.
Along with this change comes increased risks. In the rush by individuals and organizations to adopt the new tools and technologies of the digital economy, security seems to have taken a back seat. In many cases, legacy security solutions are ill-equipped to address these new challenges. For example, according to Gartner, it is estimated that by 2018 25% of corporate data traffic will bypass perimeter security (up from 4% today) and flow directly from mobile devices to the cloud, and the need to prevent data breaches from public clouds will drive 20% of organizations to develop their own data security governance programs. And by 2020 more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.
The historical challenge with government trying to address these issues is that the legislative process is purposefully designed to be slow, so any regulations tend to either be too generic to be enforceable, or so specific that they are quickly out of date. However, there are a number of areas that can be addressed to get out ahead of the new security challenges that could seriously disrupt the emerging digital economy.
1) Cybersecurity Advisory Council – Expand the role and function of the administration’s Commission on Enhancing National Cybersecurity to include more cybersecurity professionals and developers to enhance and promote industry-specific security standards and best practices, provide real-time guidance on how to respond to fast moving or consumer-facing issues, and establish accountability for failure to appropriately prepare for a cyberattack.
In the physical world, a business has to meet certain standards, such as building codes or health inspections, in order to open a store for business.. For standards and best practices, the current NIST cybersecurity framework and industry standards such as PCI-DSS are good starts. But the growth of smart devices, IoT networks, connected devices, big data, smart buildings and cities, and interconnected critical infrastructures continue to dramatically change our social and financial landscape, and have correspondingly expanded the risk facing our growing digital economy. Guidelines need to be expanded for these new industries and markets, business security certification processes need to be developed, and security training standards and incentives need to be implemented to close the growing security skills gap.
2) Accelerate Information Sharing - We won’t be able to respond fast enough to emerging threats without good threat intelligence. And that means information sharing between organizations responsible for our critical infrastructure. The Cybersecurity Act of 2015 established a framework for the sharing of information on cybersecurity threats and defensive measures among private sector entities and between the private sector and the government, and encourages the voluntary participation in informal bodies like ISAOs. But organizations still only share a fraction of the intelligence that is needed.
Too many industries and organizations are still understandably skittish about sharing information. It’s time to establish governing bodies that can set information sharing standards for critical industries, and insist on auditing and certifications of compliance.
3) Accountability – The risks imposed on consumers and the economy due to cybercrime is well understood. It is time for organizations to accept greater accountability for data breaches, especially those affecting consumers’ financial or personal data. The recent massive Mirai denial of service attack, largely based around vulnerable IoT devices, is a perfect example. Security professionals have been issuing warnings about the lax security standards for connected devices, and the dire consequences billions of such devices pose. Unfortunately, those industries building IP-enabled appliances and devices have generally failed to respond. Their development and manufacturing models often do not adequately account for risk, or the speed at which modern threats can escalate. But as a society, we simply cannot afford to let the cost of a security breach and associated fines simply be rolled into the cost of doing business.
Accountability is fundamental, and is beginning to move upstream. For example, the SEC’s Office of Compliance Inspections and Examinations (OCIE) now examines financial services institutions to ensure that governance and risk assessment measures are in place to mitigate cyber risk. And former SEC commissioner Luis Aguilar argued that corporate directors could be held personally liable for cyber breaches if they fail to ensure that appropriate cybersecurity is in place. Establishing stricter standards for accountability need to be considered.
4) Business Incentives – To properly motivate organizations, financial incentives need to be established to encourage businesses to meet security standards. This could include requiring cyber insurance for a company that has been breached, and a path for reducing cyber insurance premiums based on meeting a series of established security standards. Publicly traded companies should also be required to clearly post penalties and progress towards compliance in quarterly and annual financial reports.
Another such approach would be to establish a business security rating that is shared publicly. A scaled rating system shared with consumers, based on an organization’s meeting security standards set by the cybersecurity advisory council, would motivate businesses to achieve certification, implement stronger security standards, and advertise them as a business differentiator.
Security differentiation would be revenue generating, and inevitably create a safer environment for everyone. This same approach has been very successful in the automotive industry. The introduction of air bags, for example, not only drove the decisions of safety conscious buyers, but buyer behavior combined with compliance requirements motivated the entire industry to adopt these standards. Now there is a race to include more and better safety equipment, such as traction and stability control, cameras, accident avoidance systems, and environment monitoring technologies. And as a result, auto accident related deaths and injuries are at an all time low.
5) Public Awareness - Finally, we need to encourage risk-based situational awareness campaigns for companies and consumers. There have been massive public campaigns designed to encourage people to reduce risky behavior in other areas of national interest, such as warning of the risks of smoking, or texting and driving. And they work. We need something like this for cyberspace.
We recommend funding a series of public awareness campaigns designed to raise consumer intelligence about cybersecurity. Raising the national profiles of October as National Cyber Security Awareness Month, would help, as would the commissioning and placement of a series of public service announcement ads on television, online, and in print. While security standards and strategies need to take into account that people have and will continue to engage in risky online behavior, developing awareness campaigns will improve security generally and make everyone’s job easier.
Next, establish local cybersecurity agencies and offerings along the lines of a health clinic, such as that provided to Federal agencies and critical infrastructure organizations by the Department of Homeland Security’s National Protection and Programs Directorate. Local versions of such an agency could offer educational programs and information, issue warning about threats and viruses, and provide reduced-cost services for businesses and users, such as security checkups, device “vaccinations,” and troubleshooting based on need.
And finally, the establishment of cybersecurity training in public school STEM/STEAM programs for every student in grades K-12. We need to raise a generation of technology-savvy citizens and consumers who understand the fundamental necessity of integrated and adaptive security built into the cyberworld that increasingly surrounds them and permeates every aspect of their lives.